SECURITY AND INFORMATION GOVERNANCE STATEMENT
WHO WE ARE
MJog services are owned and operated by MJog Limited, a company registered in England and Wales with company number 02313464 whose registered office is at Unit 2 The Old School, 23 High Street, Wilburton, Cambridge, CB6 3RB. References to “we” or “us” in this statement are to MJog Limited and references to “you” are to you, the Practice using the MJog software.
KRY International AB, company reg. no. 556967-0820 (“KRY International”), MJog’s parent company, is a Swedish company that owns the “MJog” technical platform.
Kry, also known as ‘Livi’ in the UK, adheres to the highest data and security standards, which you can read more about here.
OUR COMMITMENT TO DATA AND INFORMATION SECURITY
We have produced this security and information governance statement to help you understand the security measures we have put in place to ensure that Patient personal information that we process on your instructions is secured and kept confidential.
Although our core processing activities consist of receiving Patients’ contact details and sending them appointment reminders through the automated MJog software, in some circumstances we will also be privy to the patients’ health records, for example when sending out reminders about health campaigns. Due to the potentially sensitive nature of the data we process for you, we take data security very seriously and are committed to protecting any information that is sent to us by all our customers to ensure patient confidentiality and data protection. We do this by enforcing strict security procedures and maintaining very high levels of data protection that conform to data protection legislation in the UK and also to NHS information governance guidelines.
MJog Ltd is Version 14.1 approved for the Information Governance Statement of Compliance (IGSoC) with a rating of 100%. We have our own N3 connection approved by NHS Digital (ODS number 8HL93) (previously Connecting for Health) and have strict internal Information Governance and Information Security Management Systems in compliance with our ISO27001:2013 accreditation. We are also a GPSoC-r Lot 2 contracted supplier.
We are registered with the Information Commissioner’s Office under number Z109053X. Further information on the Data Protection Register can be found at www.ico.org.uk or by contacting us on 01353 741641.
MJOG’S SOFTWARE ENCRYPTION & INSTALLATION
The MJog messaging software is pre-tested and verified to conform to the terms and conditions of long-term partnership agreements with the suppliers of your patient administration system. This ensures that MJog operates to the same high standards for the protection of Patients’ data.
During the normal operation of the MJog service, your messages will be transferred from your patient administration system to either the HSCN servers or to the mobile network via our MJog servers depending on the MJog subscription package that has been selected. When using HSCIC, MJog uses a dedicated NHSmail account for complete security. NHSmail is protected by a username and password which has to be changed regularly.
The transfer of all messages is protected using industry-standard SSL and 256-bit encryption to ensure their safe transit. Our security validation is issued by GeoTrust and we have been verified by them as bona fide.
Once MJog is installed and actively sending messages, our staff can only gain access to your MJog system with your permission, whilst under the observation of your staff and for the purpose of support and maintenance under the terms of our agreement with you. Whenever any of our staff comes across patient information while we provide our services to you, their access is to be supervised by you and kept to a minimum so that they do not see more information than they need in order to provide the required support.
As the data controller, it is your responsibility to ensure that you have complied with the laws on the collection and processing of personal data, including but in no way limited to Articles 6 and 9 of the General Data Protection Regulation (EU) 2016/679.
By default, the MJog software will assume that all patients who are registered to the practice and for whom you hold contact details should automatically be included in the service. However, the MJog software can be configured so that each patient must give their consent before their contact details can be used by MJog. Both options are easily configurable by the Practice during and after installation of the MJog software. It is up to you to decide which option to use. If you are in any doubt about your duties in this respect, you should take legal advice, and this guide from the BMA or this guidance from NHS Digital may help as well.
Your appointment reminder messages and healthcare campaign messages will require at least the patient’s mobile number and the date and time of their appointment. You always have complete control over the content of messages and can therefore limit or exclude any patient-identifiable information.
MJog will not collect or hold any sensitive information about your Patients without your consent or knowledge.
MJog Limited will never use any data for any other purpose except for the delivery of messages, nor will we divulge any mobile numbers or message details to anybody for any purpose unless required to do so by law.